↳ In-reply-to » One thing about my design here is that it would no longer incorporate "regex"-based rules like OWASP, mostly because my experience thus far has taught me that these rules are kind of overly sensitive, produce false positives and I'm not sure they are really very effective. For example, why is the point of performing SQL injection detection at the Edge using a WAF if you already handle SQL properly in the first place? (seriously does anyone still construct SQL queries by hand with effectively printf?!)

@prologic@twtxt.net There have always been and there will always be people who have absolutely no clue what they’re doing. I’ve been 100% one of them when I started. Guaranteed, heaps of new SQL injections are born every single day, numbers rising.

That doesn’t justify all the WAF crap in the first place, though. In my opinion it’s just a filthy plaster applied to an injected wound. The software itself must be secure. Otherwise, don’t put that shit on the internet. Probably not even operate it at all. Nowhere. Fix it or throw it in the bin.